Tracing emails and people via them…

So this is a follow-up (as promised) to my previous article on tracing people. This one takes the different, and more requested, view of tracing emails and reading headers.

First we will take an example email from one of my inboxes…

Return-path: <katie@sorbs.net>
Received: from [192.168.1.100] (c121-71.i07-31.onvol.net [92.251.121.71])
	by nemesis.sorbs.net
	(iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net> for matthew@sorbs.net; Wed,
	23 Feb 2011 06:19:07 +1000 (EST)
Date: Tue, 22 Feb 2011 21:20:05 +0100
From: Katie Crothers <katie@sorbs.net>
To: matthew@sorbs.net
Message-id: <4D641A75.30405@sorbs.net>
MIME-version: 1.0
Content-type: text/plain; format=flowed; charset=ISO-8859-1
Content-transfer-encoding: 7bit
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.13)
	Gecko/20101207 Thunderbird/3.1.7
Original-recipient: rfc822;matthew@sorbs.net

Loved your blog, Matthew.

I wouldn't expect anything less from someone with Multiple Personality
Disorder.

Cheers for the laugh.

So, as we can see, a fairly abusive email (the sender knows I am no longer called ‘Matthew’ and knew that at the time of sending; they also knew that the address is one I keep for legacy purposes only and rarely read), one that needs tracing to the source. This one is fairly simple: unlike spam it doesn’t contain fake headers. OK, first a few things, starting with the most important rule:

  1. You can only trust the Received headers generated by your own server (‘your’ meaning your ISP’s server or one you own) or by a server you know to be honest. Every Received line below those was handed to you by the sender and can say whatever the sender wants it to say.
  2. Each server adds its own Received header at the top of the message, so in all modern servers the Received headers are read from the top down (i.e. the latest hop is at the top, the first hop is at the bottom).

So the headers:

Received: from [192.168.1.100] (c121-71.i07-31.onvol.net [92.251.121.71])
	by nemesis.sorbs.net
	(iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net> for matthew@sorbs.net; Wed,
	23 Feb 2011 06:19:07 +1000 (EST)

So in this case we have one Received header, so this example is simple: the message was handed directly to my server, either by a registered user or by someone trying to relay unauthorised email through it. In this case I know that Katie Crothers was a registered user (as I am the server administrator), but let’s analyse the line a bit more and see what information we can glean from it.

The first part of the line, [192.168.1.100], is the name the client gave in its HELO (or EHLO) command when it connected to the server. In this case it is the correctly formatted IP address of the sending machine on its own local network, which tells us the client was sitting behind a NAT router. The second part, (c121-71.i07-31.onvol.net [92.251.121.71]), is what the server itself checked and logged about the connection: 92.251.121.71 is the address that actually connected to the server (in this case a home DSL/cable router) and c121-71.i07-31.onvol.net is the reverse-DNS name the server looked up for that address (as published by the ISP). The HELO name can be anything the client chooses; the bracketed IP address is the one the server saw on the wire and is the part you can rely on. Using geo-location services we know the host is a Melita cable modem not far from the Naxxar police station in Naxxar, Malta (geo-IP databases are only as precise as the ISP’s records, so treat street-level detail as approximate).

The second part of the line, by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar 3 2005)), just identifies the receiving mail server and its software and version, and is more for debugging purposes than anything.

The third part of the line, with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net>, is more useful than it looks. The ‘with’ keyword (defined in RFC 3848) records how the session was conducted: ESMTP means the client used EHLO rather than HELO, the S means the session was encrypted with STARTTLS, and the trailing A means the client logged in with SMTP AUTH. So this one line tells us the server accepted the message from an authenticated user, not from an anonymous relay attempt, which is exactly the question asked above. The id, <0LH100J02CFQR7@nemesis.sorbs.net>, is the identifier the server assigned to the message internally, and it makes finding the matching line in the server’s log files a lot easier.

The fourth part of the line, for matthew@sorbs.net, tells us the destination address as the server saw it in the SMTP envelope (the RCPT TO command). On a server you trust this cannot be faked, because it is the address the server actually used to deliver the email. The To: line further down in the headers, by contrast, is purely informational and exists only for the benefit of the mail reader (the spam example later in this article has a To: line that bears no relation to where the mail was delivered).

The rest of the headers are irrelevant for the purposes of this article and should be self-explanatory, with the exception of the line Original-recipient: rfc822;matthew@sorbs.net, which is a copy of the envelope recipient the server used to route the email (the same address as in the ‘for’ clause above).

OK, on to something a little more realistic for tracing spam:

Return-path: <alison@isux.com>
Received: from catapilla.sorbs.net (catapilla.sorbs.net [113.52.8.151])
	by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTP id <0LHA00840VAD00@nemesis.sorbs.net> for michelle@shellsshots.com;
	Mon, 28 Feb 2011 09:44:37 +1000 (EST)
Received: from vampire.isux.com (c190-211.i02-8.onvol.net [213.165.190.211])
	by catapilla.sorbs.net (Postfix) with ESMTP id 5F8B42E0D5 for
	<michelle@shellsshots.com>; Mon, 28 Feb 2011 10:44:35 +1100 (EST)
Received: by vampire.isux.com (Postfix) id E7FF3C23A; Mon,
	28 Feb 2011 10:48:53 +1100 (EST)
Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
	by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;
	Mon, 28 Feb 2011 10:48:50 +1100 (EST)
Date: Mon, 28 Feb 2011 10:48:50 +1100 (EST)
From: alison@isux.com
Subject: RE: Your invoice from VIAGRA - #5187
To: alison@isux.com
Message-id: <20110227234852.B58F5B901@vampire.isux.com>
MIME-version: 1.0
Content-type: text/html; charset=ISO-8859-1
Content-transfer-encoding: 7bit
Delivered-to: alison@isux.com
Original-recipient: rfc822;alison@isux.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="application/xhtml+xml; charset=UTF-8"/>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="width: 896px">
<tr><td align="center" style="font: normal 11px Verdana, sans-serif; color: #333;">
<a href="http://usadoctorpills6.ru" style="text-decoration: none; color: #0099ff;"
>Click here!</td></tr>

<tr><td align="center">
<br/>
<a href="http://usadoctorpills6.ru"><img src="http://usadoctorpills6.ru/1.jpg" 
style="border-width: 0px"/></a></td></tr>
</table>
</body>
</html>

In this case we have more received headers:

Received: from catapilla.sorbs.net (catapilla.sorbs.net [113.52.8.151])
	by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
	with ESMTP id <0LHA00840VAD00@nemesis.sorbs.net> for michelle@shellsshots.com;
	Mon, 28 Feb 2011 09:44:37 +1000 (EST)
Received: from vampire.isux.com (c190-211.i02-8.onvol.net [213.165.190.211])
	by catapilla.sorbs.net (Postfix) with ESMTP id 5F8B42E0D5 for
	<michelle@shellsshots.com>; Mon, 28 Feb 2011 10:44:35 +1100 (EST)
Received: by vampire.isux.com (Postfix) id E7FF3C23A; Mon,
	28 Feb 2011 10:48:53 +1100 (EST)
Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
	by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;
	Mon, 28 Feb 2011 10:48:50 +1100 (EST)

In this case the headers are again read from the top down. I own/manage the hosts nemesis.sorbs.net, catapilla.sorbs.net and vampire.isux.com, so reading the ‘by’ part of each Received line we know we can trust all four headers. Read bottom-up, the chain is: vampire.isux.com accepted the message from the outside for alison@isux.com, re-injected it locally (the ‘Received: by vampire.isux.com’ line with no ‘from’ is a local forward from alison@isux.com to michelle@shellsshots.com, which is why Delivered-to and Original-recipient still say alison@isux.com), handed it to catapilla.sorbs.net, which handed it to nemesis.sorbs.net. One thing worth noticing on the way: vampire.isux.com says it received the message at 10:48:50 +1100, yet catapilla.sorbs.net logged receiving it from vampire at 10:44:35 +1100, four minutes earlier. That is not forgery, just vampire’s clock running about four minutes fast, but it is a reminder that Received timestamps are only as good as each server’s clock and should never be the only thing you rely on. We also know that the headers are ordered ‘latest first’ from top down, which means the first server that I own to touch the message added the bottom-most header, and its ‘from’ clause is the outside host we are after:

Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
	by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;
	Mon, 28 Feb 2011 10:48:50 +1100 (EST)

The delivering host was 189.68.86.125, which identified itself in HELO as 189-68-86-125.dsl.telesp.net.br, the same as its reverse-DNS name (a Brazilian DSL line). Note that it spoke plain ‘SMTP’ (HELO only: no EHLO, no TLS, no authentication), which is typical of a compromised home machine running spam software rather than a real mail server. The Message-id, <20110227234852.B58F5B901@vampire.isux.com>, carries vampire’s own hostname and its queue id B58F5B901, which is the form Postfix generates when a message arrives without a Message-ID of its own, and the Date: header is identical to the timestamp vampire stamped on its Received line, consistent with the spam bot sending neither header. Again, using geo-location services such as http://www.maxmind.com/, we know the host is located in Sertãozinho, São Paulo, Brazil.
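Putting the two rules into code: the script below is an added example, not part of the original article, that applies rule 1 and rule 2 to both messages shown on this page. It walks the Received: headers from the top down, stops at the first one not stamped ‘by’ a server in a trusted set (the TRUSTED set and all function names are this example’s own assumptions), reports the outside host from the last trusted hop, decodes the RFC 3848 ‘with’ keyword (so ESMTPSA in the first message comes out as an authenticated TLS session and bare SMTP in the spam as a HELO-only client), and flags hops whose timestamps run backwards, as vampire.isux.com’s do above. The two sample messages are the header blocks quoted in this article with the bodies trimmed, and only the Python standard library is used.

```python
"""Added example (not from the article): trace a message's Received: chain.

Rule 1: trust only Received: lines stamped 'by' a server we control.
Rule 2: lines are prepended, so walk them top-down, newest first.
Assumptions that are this example's own: the TRUSTED set, the function
names, and the trimmed sample messages (copied from the article's headers).
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# --- constructed sample input: the two header blocks from the article ---------
ABUSIVE_MAIL = """\
Return-path: <katie@sorbs.net>
Received: from [192.168.1.100] (c121-71.i07-31.onvol.net [92.251.121.71])
    by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
    with ESMTPSA id <0LH100J02CFQR7@nemesis.sorbs.net> for matthew@sorbs.net; Wed,
    23 Feb 2011 06:19:07 +1000 (EST)
From: Katie Crothers <katie@sorbs.net>
To: matthew@sorbs.net

Loved your blog, Matthew.
"""

SPAM_MAIL = """\
Return-path: <alison@isux.com>
Received: from catapilla.sorbs.net (catapilla.sorbs.net [113.52.8.151])
    by nemesis.sorbs.net (iPlanet Messaging Server 5.2 HotFix 2.05 (built Mar  3 2005))
    with ESMTP id <0LHA00840VAD00@nemesis.sorbs.net> for michelle@shellsshots.com;
    Mon, 28 Feb 2011 09:44:37 +1000 (EST)
Received: from vampire.isux.com (c190-211.i02-8.onvol.net [213.165.190.211])
    by catapilla.sorbs.net (Postfix) with ESMTP id 5F8B42E0D5 for
    <michelle@shellsshots.com>; Mon, 28 Feb 2011 10:44:35 +1100 (EST)
Received: by vampire.isux.com (Postfix) id E7FF3C23A; Mon,
    28 Feb 2011 10:48:53 +1100 (EST)
Received: from 189-68-86-125.dsl.telesp.net.br (189-68-86-125.dsl.telesp.net.br [189.68.86.125])
    by vampire.isux.com (Postfix) with SMTP id B58F5B901 for <alison@isux.com>;
    Mon, 28 Feb 2011 10:48:50 +1100 (EST)
From: alison@isux.com
Subject: RE: Your invoice from VIAGRA - #5187
To: alison@isux.com

(body omitted)
"""

TRUSTED = {"nemesis.sorbs.net", "catapilla.sorbs.net", "vampire.isux.com"}  # assumption

# Clauses of a Received: line.  'from' carries the HELO name the client chose
# and, in parentheses, the rDNS name and [IP] the server itself observed.
_FROM = re.compile(r"^from\s+(?P<helo>\S+)"
                   r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?", re.I)
_BY = re.compile(r"\bby\s+(?P<by>[\w.-]+)", re.I)
_WITH = re.compile(r"\bwith\s+(?P<with>[A-Za-z0-9]+)", re.I)
_ID = re.compile(r"\bid\s+(?P<id>[^\s;]+)", re.I)
_FOR = re.compile(r"\bfor\s+<?(?P<for>[^\s<>;]+)>?", re.I)


def parse_received(value):
    """Split one Received: header into the clauses that matter for tracing."""
    text = " ".join(value.split())                 # unfold and squeeze whitespace
    clause, sep, stamp = text.rpartition(";")      # the timestamp follows the last ';'
    if not sep:
        clause, stamp = text, ""
    hop = dict.fromkeys(("helo", "rdns", "ip", "by", "with", "id", "for", "time"))
    m = _FROM.match(clause)
    if m:
        hop.update(helo=m["helo"], rdns=m["rdns"], ip=m["ip"])
    for rx, key in ((_BY, "by"), (_WITH, "with"), (_ID, "id"), (_FOR, "for")):
        m = rx.search(clause)
        if m:
            hop[key] = m[key]
    try:
        hop["time"] = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
    except (TypeError, ValueError):
        pass                                       # unparsable date: leave as None
    return hop


def describe_with(proto):
    """Decode the RFC 3848 'with' keyword: ESMTP = EHLO used, S = STARTTLS, trailing A = SMTP AUTH."""
    p = (proto or "").upper()
    return {"ehlo": p.startswith("ESMTP"), "tls": "SMTPS" in p,
            "auth": p.endswith("A") and "SMTP" in p}


def clock_anomalies(hops):
    """Indices of hops stamped LATER than the newer hop above them (clock skew or forgery)."""
    return [i for i in range(1, len(hops))
            if hops[i - 1]["time"] and hops[i]["time"] and hops[i]["time"] > hops[i - 1]["time"]]


def trace(raw, trusted=TRUSTED):
    """Walk the chain newest-first; the origin is the 'from' of the last trusted hop."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    trusted = {h.lower() for h in trusted}
    origin = None
    for hop in hops:
        if (hop["by"] or "").lower() not in trusted:
            break                                  # rule 1: everything below is hearsay
        if hop["ip"]:                              # skip local re-injection lines (no 'from')
            origin = hop
    return {"hops": hops, "origin": origin, "anomalies": clock_anomalies(hops)}


if __name__ == "__main__":
    for name, raw in (("abusive", ABUSIVE_MAIL), ("spam", SPAM_MAIL)):
        r = trace(raw)
        o = r["origin"]
        print(f"{name}: from {o['ip']} HELO={o['helo']} rDNS={o['rdns']} "
              f"with={o['with']} {describe_with(o['with'])} for={o['for']} "
              f"queue id={o['id']}; backward timestamps at hops {r['anomalies']}")
```

Run it directly to see both reports. For the spam the anomaly index is 2, the ‘Received: by vampire.isux.com’ line whose stamp is about four minutes later than the catapilla hop above it; shrink the trusted set to nemesis.sorbs.net alone and the trace correctly stops at the first hop, reporting catapilla as the furthest host it can vouch for.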

I will be posting a follow up article to this at a later date with more technical information.  Feel free to subscribe to the RSS feed to get the updates.

LOOKING FOR OWNERS!

A small puppy (about 2 months old by the look of him) was found at a bus stop. He looks like a Labrador, is very affectionate, tame and newspaper-trained. Someone probably played with him and threw him out, and I found him in the snow. I would very much like to find kind and loving owners for the little one! Please get in touch!

A home has been found for him. Thank you all!